Data Processing Agreement

Effective January 1, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service between Opervex, LLC ("Processor," "Leadality") and the Agency Customer ("Controller," "you"). It governs the processing of Consumer personal data delivered through the Service.

1. Roles

For Consumer personal data delivered to you through the Service, you are the Controller (you decide how to use each lead to provide a quote, contact the consumer, and store any policy-related records). Leadality is the Processor during the sourcing + enrichment + consent capture phase, and acts as Joint Controller with you for the moment of consent capture (since both names appear in the consent disclosure).

2. Categories of data processed

  • Identity (name)
  • Contact (phone, email, ZIP)
  • Property + mortgage context (address, loan amount, lender, date)
  • Date of birth (where available)
  • Consent evidence (disclosure text, version, IP, user agent, TrustedForm cert)

3. Categories of data subjects

U.S. consumers who have submitted a quote request on your branded landing page.

4. Purpose of processing

Solely to facilitate your provision of life insurance quotes to consenting consumers. Not for any other product, not for resale, not for cross-sell into adjacent verticals.

5. Your obligations as Controller

  • Use the data only for the purpose above
  • Honor opt-outs (STOP, unsubscribe, revocation requests) within 10 business days at the latest — preferably immediately
  • Maintain reasonable administrative, technical, and physical safeguards consistent with industry best practice (encrypted at rest, access controls, audit logging)
  • Notify Leadality without undue delay (and in any case within 72 hours) of any personal data breach involving consumer data we delivered to you
  • Cooperate with Leadality on any consumer rights request that requires deletion or correction on your systems
  • Comply with all applicable laws — TCPA, CAN-SPAM, CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, OCPA, and any future U.S. state privacy law

6. Sub-processors

Leadality engages the following sub-processors as Joint Controller / Processor for the platform:

  • Supabase, Inc. — database + auth (US-East)
  • Vercel, Inc. — hosting + edge network
  • Stripe, Inc. — payments
  • Resend, Inc. — transactional email
  • Twilio, Inc. — SMS
  • Anthropic, PBC — AI personalization (no PII names sent — only banded mortgage amount, city, lender)
  • ActiveProspect, Inc. — TrustedForm consent certificates
  • Enrichment providers (e.g., Tracerfy, BatchData, Whitepages Pro) for the records sourcing phase only — these do not receive Consumer data, only public-records addresses + names

We will give you 30 days' notice of any new sub-processor that receives Consumer personal data and the option to terminate if you reasonably object.

7. Cross-border transfers

All Consumer data is processed in the United States. We do not transfer Consumer personal data outside the U.S. except as required by U.S. law.

8. Data subject rights

Upon receipt of a Consumer rights request (access, deletion, correction, opt-out of sale/sharing), Leadality will:

  • Process the request on its systems within statutory timelines
  • Forward the request to you so you can process it on your systems
  • Coordinate with you on any joint response required

9. Security incident response

Each party will notify the other without undue delay (and within 72 hours where feasible) of any confirmed security incident involving Consumer personal data. We will cooperate in good faith on investigation, notification, and remediation.

10. Return + deletion on termination

Upon termination of the Service relationship, Leadality will:

  • Stop delivering new Consumer data immediately
  • Provide a final data export upon request within 30 days
  • Delete Consumer data from active systems within 90 days, except where retention is required by law (e.g., consent records as TCPA defense)

11. Audits

Once per calendar year, on reasonable notice, you may request a SOC 2-style summary of our security controls. On-site audits require mutual scheduling and signed NDAs.

12. Liability

Liability under this DPA is governed by the limitation-of-liability provisions of the Terms of Service.

13. Acceptance

Acceptance of this DPA occurs by accepting the Terms of Service during signup. No separate signature is required, although we will provide a countersigned PDF on request.